[ic] Credit Card Info

John Beima interchange-users@interchange.redhat.com
Sun Nov 4 14:27:01 2001


G'Day Robert,

You do realize how completely irresponsible this is, right? When this e-mail goes
out 1000s if not more can read it... YOU are responsible for protecting card
numbers that come to you... You can probably now also be held responsible for
the card numbers that go to other places because you have given this method
out...

This also means there was NO point to using SSL to get the information from
your clients in the first place, since you send it out plain text later. If your
clients knew this they would NEVER buy anything from you...

Maybe you should let them decide with a disclaimer on your order page like "We
know we are using SSL to make you feel secure and to give us your credit card
number, but after that, we store it in about 8 places in plain old text... We
then send it through plain old e-mail where anyone can packet sniff it, and it
gets sent to every machine on our ISP's network while it is en route to ours..."

What do you think they would say? I bet your cc company would yank your ability
to take cc's if they knew you were doing this.

I for one would like to see Mike take an even harder approach against this...
Time to not even accept the order if a proper processor or pgp is not installed.
If your ISP won't allow you to run pgp, then get a real ISP...


John Beima



Quoting Robert Trembath <robert@ishoptech.com>:

> Work around for CC info
> ------------------------------
> 
> In the directory /usr/lib/interchange/lib/Vend or wherever your IC
> install is in the /lib/Vend directory there is a file called Order.pm.
> 
> Note: I don't recommend you do this unless you are an experienced IC
> developer and have an understanding of IC structure.
> 
> Do a find and replace in your favorite editor for the following in the
> following section only:
> Section: sub route_order (2 places)
> Find:
> ENCRYPTION NEEDED
> Replace with:
> $::Values->{mv_credit_card_info}
> 
> This will print the full credit card number and info on the mail to
> store owner.
> There may be one other line that needs to be fixed that was sent to me by
> another developer. I will post it Monday when I'm in the office.
> 
> Restart IC after these changes to enable it. Make sure you backup this
> file in case you have a problem with the mod.
> 
> Robert Trembath
> Senior IT Director
> e| robert@ishoptech.com
> 
> 
> -----Original Message-----
> From: interchange-users-admin@interchange.redhat.com
> [mailto:interchange-users-admin@interchange.redhat.com] On Behalf Of
> BWP-BookCenter
> Sent: Sunday, November 04, 2001 10:00 AM
> To: interchange-users@interchange.redhat.com
> Subject: RE: [ic] Credit Card Info
> 
> Robert,
> 
> Please do. For many "small" store owners the ISP does not always install the
> PGP correctly, so this will help them.
> 
> Thanks
> 
> Anton
> 
> -----Original Message-----
> From: interchange-users-admin@interchange.redhat.com
> [mailto:interchange-users-admin@interchange.redhat.com]On Behalf Of
> Robert Trembath
> Sent: Sunday, November 04, 2001 10:44 AM
> To: interchange-users@interchange.redhat.com
> Subject: RE: [ic] Credit Card Info
> 
> 
> I have a mod that will print it on the email to the shop owner in 4.8.x
> without messing with encryption if anyone is interested. I've been
> meaning to post it anyway. Let me know and I'll post it.
> 
> Robert Trembath
> Senior IT Director
> e| robert@ishoptech.com
> 
> 
> -----Original Message-----
> From: interchange-users-admin@interchange.redhat.com
> [mailto:interchange-users-admin@interchange.redhat.com] On Behalf Of
> Bernino Lind
> Sent: Sunday, November 04, 2001 1:02 AM
> To: interchange-users@interchange.redhat.com
> Subject: RE: [ic] Credit Card Info
> 
> Just an example:
> 
> In Denmark there was a shop which did exactly that. One day some persons
> stole the mail archive with all the card #'s and began doing nice things
> with various online stores.
> 
> The bank, in this case the shop's bank, has the legal responsibility in
> Denmark (I don't know the law elsewhere) so they had to pay the transfers of
> money which could not be stopped. Then the bank filed a case against the
> shop for improper storage of card #'s.
> 
> So you should make sure that all such mails are encrypted at the least - but
> preferably completely nuke the card #'s as soon as you have gotten your
> money (and hey! Isn't that what it's all about ???)!
> 
> --
> med venlig hilsen / Best Regards
> Bernino Lind +45 7021 0050
> catpipe Systems ApS - www.catpipe.net
> Best done FreeBSD solutions
> 
> -----Original Message-----
> From: interchange-users-admin@interchange.redhat.com
> [mailto:interchange-users-admin@interchange.redhat.com]On Behalf Of Jim
> Balcom
> Sent: 3. november 2001 23:59
> To: interchange-users@interchange.redhat.com
> Subject: Re: [ic] Credit Card Info
> 
> 
> On Sat, 3 Nov 2001, Yahoo wrote:
> 
> Y>>This may be very novice question, but we are not a high volume operation, we
> Y>>really do not need a processing entity at the moment, so I was asked to have
> Y>>daily reports with clients orders including card #s, I have come to discover
> Y>>that the card # is a variable not a field ( I think ), anybody ever done
> Y>>this before could enlighten us,
> 
> I suggest that you educate the people that are asking you to do this to the
> high risks of allowing credit card numbers to become visible to people that
> don't have a need for access to them in order to process the order.
> 
> Perhaps you are a small shop like mine, in which case it's no problem.
> Scotty and I process orders interchangeably, and so we both have full access
> to all of the computers, card #s, etc.
> 
> But, once you get much bigger than that, you end up having these numbers
> floating around, either on computers, or on paper, where people can access
> them who have no need to, or worse yet, where someone can hack into the
> computer and capture them.
> 
> -= Jim =-
> 
> ----------------------------------------------------------------
> Jim's Linux-Operated Underground Bomb Shelter
> 
> Tagline for Saturday, November 03, 2001 at 17:50 PM:
> I tried being reasonable once. I didn't like it.
> 
> ----------------------------------------------------------------
> This Linux System has been up 200 hours
> 
> My web page: http://www.idk-enterprises.com
> ----------------------------------------------------------------
> 
> _______________________________________________
> interchange-users mailing list
> interchange-users@interchange.redhat.com
> http://interchange.redhat.com/mailman/listinfo/interchange-users



John Beima
jbeima@palb.com, support@alocalagent.com, and support@alocalchurch.com

P.A.L.B. Systems - Phone: (780)451-1086 - Fax: (780)447-4760
11639-122 Street, Edmonton, Alberta, Canada, T5M 0B6

Affordable Web Pages - Phone: (888)932-9990 - Fax: (256)351-7297
2713B Spring Place SW, Decatur, Alabama, United States, 35603